Connecting the world…


ISA Server 2006 array – renew certificate

When configuring a Microsoft ISA Server 2006 array you have two options for authentication and communication between the Microsoft ISA 2006 Configuration Storage Server and the array members.

  • Windows Authentication: Choose this option if ISA server and the Configuration Storage server are in the same domain, or in different domains with a trust relationship between them. The connection will be encrypted (signed and sealed);
  • Authentication over SSL encrypted channel: Choose this option if ISA server is in a domain that does not have a trust relationship with the Configuration Storage server domain, or if it is part of a workgroup. The connection will be SSL encrypted.

I normally configure the array members within a DMZ environment and install the CSS server on the internal network.

To maximize security, the array members aren’t part of the Active Directory domain. So communication between the CSS and the array members is workgroup based and the authentication type used is Authentication over SSL encrypted channel. This option needs the configuration of SSL certificates to authenticate and secure the connection. The certificates have a certain validity period, after which the certificate needs to be renewed.

Until now I always ran the repair option from the installation and specified the new certificate. I discovered a simpler method using the ISACertTool. This tool provides an easy way to renew the certificate on the Configuration Storage Server and the root CA certificate on the array members.

You just need to create a web server certificate in PFX format from a Windows CA or any other CA. If the CA isn’t trusted by the array members, you also need to install the CA certificate on the array members. If you use a certificate from a CA that the array members already trust, you can skip this step.

The syntax for the ISACertTool is very straightforward. On the Configuration Storage Server you need to run the following command:

ISACertTool.exe /st <pfx file> /pswd <password> /keepcerts

On the array member you run the following command to install the root CA certificate.

ISACertTool.exe /fw <root ca file>

IMPORTANT: for a correct usage of the tool you need to extract the tool to the Microsoft ISA Server install directory, which is by default C:\Program Files\Microsoft ISA Server.

AutoQos error while generating commands

First of all, this post isn’t about explaining QoS. Configuring AutoQos on Cisco switches should be very easy. At least, that is what all the Cisco documentation tells you. I always thought that the statements about configuring AutoQos were true, but since a few days ago I disagree.

I was configuring multiple switches, Cisco Catalyst 2960-24PC-L switches to be more precise. The switches are configured with a default template, which is generated according to the needs of the customer. I uploaded the most recent software to the switches, which is 12.2(55)SE. The customer is going to use an Avaya IP telephony environment, so I tried to apply the appropriate AutoQos command to an interface. After applying the command, I received the following error:

AutoQoS Error while generating commands on Gi0/2

The switches didn’t have any QoS configuration before applying the command. Searching multiple forums didn’t give me a valid solution. I did my own research and found an incompatibility with the configuration mode exclusive command, as shown below:

configuration mode exclusive auto expire 500 lock-show config-wait 5 retry-wait 5

After I removed the configuration mode exclusive command, the AutoQos commands could be applied without errors. I tried to find out why it isn’t possible to apply the AutoQos commands while the configuration mode exclusive command is enabled.

I guess the problem is that the configuration mode exclusive command prevents other users, or the auto-generation of commands, from executing commands. When applying the AutoQos commands, the generated commands are executed by the router / switch and not by the user who locked the CLI.

Configuration Mode Locking

While browsing some networking related blogs, I stumbled on a nice new feature in Cisco IOS on 6200networks.com. The feature prevents multiple users from changing the configuration of a network component simultaneously. This feature, configuration mode locking, is available in two different modes:

  1. Automatic – the session is locked, when you log in to the component;
  2. Manual – you can decide when to lock the configuration session;

Looking at the IOS commands, configuring configuration locking is very simple. Let’s check out the available options:

SW01#conf t

SW01(config)#configuration mode exclusive [auto | manual]

When using the keyword auto, the session is automatically locked as soon as you log in to the specific network component. When using the keyword manual, you can decide when to lock the session. To lock the session manually, you use the following command:

SW01#configure terminal lock

Configuration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exit

SW01#

The status of configuration locking can be viewed with the command:

SW01#show configuration lock

Parser Configure Lock
———————
Owner PID        : 261
User             : booches
TTY              : 1
Type             : EXCLUSIVE
State            : LOCKED
Class            : EXPOSED
Count            : 1
Pending Requests : 0
User debug info  : configure terminal lock

This feature is very useful in environments where multiple system engineers could log in and configure the same network component.

eSafe Configuration Restore

Some of our customers use eSafe as a forwarding proxy for SMTP and HTTP scanning. Today I had to restore an eSafe, which is configured in NitroInspection II Router mode. I had created a backup configuration file from the running eSafe server and installed a new eSafe server with the default settings.

After the installation I connected my laptop to the eSafe server and opened the default browser page:

https://<IP Addr>:37233

After logging in with the default username (admin) and password (esafe), I browsed to the backup configuration file and started restoring to this configuration. The eSafe appliance needs to reboot after the restore.

I now noticed that after the initial restore and reboot, the eSafe server had lost the IP configuration of both NICs in the server. I had to restore the IP settings manually, which can be done by editing the following files:

  1. /etc/sysconfig/network-scripts/ifcfg-eth0
  2. /etc/sysconfig/network-scripts/ifcfg-eth1

I always forget the syntax when editing the networking files, so I had to search the internet for the correct syntax. Below is the configuration of eth0.

DEVICE=eth0
IPADDR=192.168.3.2
NETMASK=255.255.255.0
NETWORK=192.168.3.0
# broadcast address of the 192.168.3.0/24 network (not the netmask)
BROADCAST=192.168.3.255
GATEWAY=192.168.3.1
ONBOOT=yes
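Hand-edited ifcfg files are easy to get wrong: NETWORK and BROADCAST must agree with IPADDR/NETMASK, and GATEWAY must lie inside the subnet. As an added example (not from the post or from eSafe), this Python check derives the expected values with the standard ipaddress module and reports anything that does not match; the ifcfg text is constructed inline with a deliberately wrong BROADCAST.

```python
import ipaddress

# Constructed sample in the layout of an ifcfg-ethX file, with a
# deliberately wrong BROADCAST so the checker has something to report.
SAMPLE_IFCFG = """\
DEVICE=eth0
IPADDR=192.168.3.2
NETMASK=255.255.255.0
NETWORK=192.168.3.0
BROADCAST=255.255.255.0
GATEWAY=192.168.3.1
ONBOOT=yes
"""


def parse_ifcfg(text):
    """Parse KEY=VALUE lines; ignore blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_ifcfg(cfg):
    """Return problems in the address settings (empty list = consistent)."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except (KeyError, ValueError) as exc:
        return [f"IPADDR/NETMASK unusable: {exc}"]
    net = iface.network
    # NETWORK and BROADCAST follow from IPADDR/NETMASK; anything else is a typo.
    expected = {"NETWORK": str(net.network_address),
                "BROADCAST": str(net.broadcast_address)}
    for key, want in expected.items():
        got = cfg.get(key)
        if got is not None and got != want:
            problems.append(f"{key}={got} should be {want}")
    gw = cfg.get("GATEWAY")
    if gw is not None and ipaddress.ip_address(gw) not in net:
        problems.append(f"GATEWAY={gw} is not inside {net}")
    if cfg.get("ONBOOT", "").lower() != "yes":
        problems.append("ONBOOT is not yes; interface stays down after a reboot")
    return problems
```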

After restarting the network service (/etc/init.d/network restart) I was able to communicate with the eSafe server and everything looked normal, but it wasn’t. I noticed that the eSafe service wasn’t able to start.

Contacting eSafe resulted in re-installing the eSafe appliance from scratch, configuring the correct IP settings manually through the web interface and restoring only the file /opt/eSafe/eSafeCR/esafecfg.ini. Next I rebooted the server, and this time the configuration was restored and the service was running.

eSafe’s technical personnel told me that the problem could arise when restoring the tar.gz file to different hardware, and that’s exactly what I had tried.

Port-channel configuration for VMWare

I received some e-mails from people asking for configuration examples for a Cisco switch in conjunction with VMWare servers. That is why I post the configuration I normally use below. This configuration enables an 802.1Q trunk connection between the switch and the VMWare server and requires the VMWare server to use VLAN tagging. The Port-channel consists of two physical GigabitEthernet interfaces.

Configuration Example:

port-channel load-balance src-dst-ip
!
interface Port-channel1
 description 802.1Q to VMWare
 switchport trunk encapsulation dot1q
 switchport nonegotiate
 switchport mode trunk
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/1
 description Member Po1
 switchport trunk encapsulation dot1q
 switchport nonegotiate
 switchport mode trunk
 no cdp enable
 channel-group 1 mode on
 spanning-tree portfast trunk
!
interface GigabitEthernet2/0/1
 description Member Po1
 switchport trunk encapsulation dot1q
 switchport nonegotiate
 switchport mode trunk
 no cdp enable
 channel-group 1 mode on
 spanning-tree portfast trunk

CDP is the proprietary Cisco Discovery Protocol. CDP can be useful when trying to discover attached network components. VMWare supports CDP, so it could be enabled on the interfaces. Using CDP helps to see which switch port connects to which NIC on the ESX server.